Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2014 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | package com.android.systemui.statusbar.policy; |
| 17 | |
Selim Cinek | 24ac55e | 2014-08-27 12:51:45 +0200 | [diff] [blame] | 18 | import android.app.ActivityManager; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 19 | import android.app.admin.DevicePolicyManager; |
phweiss | e375fc4 | 2017-04-19 20:15:06 +0200 | [diff] [blame] | 20 | import android.content.BroadcastReceiver; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 21 | import android.content.Context; |
phweiss | e375fc4 | 2017-04-19 20:15:06 +0200 | [diff] [blame] | 22 | import android.content.Intent; |
| 23 | import android.content.IntentFilter; |
Daniel Nishi | 3956639 | 2016-03-24 15:06:57 -0700 | [diff] [blame] | 24 | import android.content.pm.ApplicationInfo; |
| 25 | import android.content.pm.PackageManager; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 26 | import android.content.pm.PackageManager.NameNotFoundException; |
Robin Lee | 9cb1d5f | 2015-04-16 17:01:49 +0100 | [diff] [blame] | 27 | import android.content.pm.UserInfo; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 28 | import android.net.ConnectivityManager; |
| 29 | import android.net.ConnectivityManager.NetworkCallback; |
| 30 | import android.net.IConnectivityManager; |
Jason Monk | 92b5c81 | 2014-08-21 13:44:18 -0400 | [diff] [blame] | 31 | import android.net.Network; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 32 | import android.net.NetworkCapabilities; |
| 33 | import android.net.NetworkRequest; |
phweiss | e375fc4 | 2017-04-19 20:15:06 +0200 | [diff] [blame] | 34 | import android.os.AsyncTask; |
| 35 | import android.os.Handler; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 36 | import android.os.RemoteException; |
| 37 | import android.os.ServiceManager; |
Robin Lee | 9cb1d5f | 2015-04-16 17:01:49 +0100 | [diff] [blame] | 38 | import android.os.UserHandle; |
| 39 | import android.os.UserManager; |
phweiss | e375fc4 | 2017-04-19 20:15:06 +0200 | [diff] [blame] | 40 | import android.security.KeyChain; |
| 41 | import android.security.KeyChain.KeyChainConnection; |
| 42 | import android.util.ArrayMap; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 43 | import android.util.Log; |
phweiss | e375fc4 | 2017-04-19 20:15:06 +0200 | [diff] [blame] | 44 | import android.util.Pair; |
Robin Lee | 9cb1d5f | 2015-04-16 17:01:49 +0100 | [diff] [blame] | 45 | import android.util.SparseArray; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 46 | |
Jorim Jaggi | acace94 | 2015-08-28 11:46:10 -0700 | [diff] [blame] | 47 | import com.android.internal.annotations.GuardedBy; |
Robin Lee | 6795a2ae | 2015-07-06 19:20:59 -0700 | [diff] [blame] | 48 | import com.android.internal.net.LegacyVpnInfo; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 49 | import com.android.internal.net.VpnConfig; |
Robin Lee | 4728345 | 2015-06-01 10:57:03 -0700 | [diff] [blame] | 50 | import com.android.systemui.R; |
Fabian Kozynski | 5ca7a51 | 2019-10-16 19:56:11 +0000 | [diff] [blame] | 51 | import com.android.systemui.broadcast.BroadcastDispatcher; |
Dave Mankoff | f473681 | 2019-10-18 17:25:50 -0400 | [diff] [blame] | 52 | import com.android.systemui.dagger.qualifiers.BgHandler; |
Jason Monk | 9c7844c | 2017-01-18 15:21:53 -0500 | [diff] [blame] | 53 | import com.android.systemui.settings.CurrentUserTracker; |
Jason Monk | 3d5f551 | 2014-07-25 11:17:28 -0400 | [diff] [blame] | 54 | |
| 55 | import java.io.FileDescriptor; |
| 56 | import java.io.PrintWriter; |
| 57 | import java.util.ArrayList; |
| 58 | |
Jason Monk | 196d639 | 2018-12-20 13:25:34 -0500 | [diff] [blame] | 59 | import javax.inject.Inject; |
| 60 | import javax.inject.Singleton; |
| 61 | |
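/**
 * Backs the status bar's security indicators: device/profile management, active VPNs and
 * user-installed CA certificates.
 *
 * <p>Management questions are answered live through {@link DevicePolicyManager}. VPN state is
 * cached in {@link #mCurrentVpns} and refreshed from a {@link NetworkCallback}; CA-certificate
 * presence is cached per user in {@link #mHasCACerts} and refreshed by {@link CACertLoader}
 * when the trust store changes or a user is unlocked. Registered
 * {@link SecurityControllerCallback}s are told about every state change via
 * {@link #fireCallbacks()}.
 */
@Singleton
public class SecurityControllerImpl extends CurrentUserTracker implements SecurityController {

    private static final String TAG = "SecurityController";
    private static final boolean DEBUG = Log.isLoggable(TAG, Log.DEBUG);

    // Network request used only to be told about VPN networks: the capabilities that would
    // normally exclude VPN, restricted and untrusted networks are removed from the request.
    // NOTE(review): setUids(null) presumably matches networks regardless of uid — confirm.
    private static final NetworkRequest REQUEST = new NetworkRequest.Builder()
            .removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_VPN)
            .removeCapability(NetworkCapabilities.NET_CAPABILITY_NOT_RESTRICTED)
            .removeCapability(NetworkCapabilities.NET_CAPABILITY_TRUSTED)
            .setUids(null)
            .build();
    private static final int NO_NETWORK = -1;

    // Meta-data key a VPN app sets to request the branded VPN UI; honoured for system apps only
    // (see isVpnPackageBranded).
    private static final String VPN_BRANDED_META_DATA = "com.android.systemui.IS_BRANDED";

    private static final int CA_CERT_LOADING_RETRY_TIME_IN_MS = 30_000;

    private final Context mContext;
    private final ConnectivityManager mConnectivityManager;
    private final IConnectivityManager mConnectivityManagerService;
    private final DevicePolicyManager mDevicePolicyManager;
    private final PackageManager mPackageManager;
    private final UserManager mUserManager;
    private final Handler mBgHandler;

    @GuardedBy("mCallbacks")
    private final ArrayList<SecurityControllerCallback> mCallbacks = new ArrayList<>();

    // Key: userId, Value: VpnConfig of that user's active VPN. Replaced wholesale by
    // updateState() on the network-callback thread and read from callers' threads, so the
    // reference hand-off is volatile; the map itself is never mutated after publication.
    private volatile SparseArray<VpnConfig> mCurrentVpns = new SparseArray<>();
    private int mCurrentUserId;
    // User whose VPN state is reported; differs from mCurrentUserId for a restricted profile,
    // whose VPN is routed through its parent (see onUserSwitched).
    private int mVpnUserId;

    // Key: userId, Value: whether the user has CACerts installed
    // Needs to be cached here since the query has to be asynchronous.
    // Only successful lookups are stored (see CACertLoader.onPostExecute); a user with no
    // entry reads as "no CA certs", i.e. the indicator is suppressed rather than shown while
    // the answer is unknown.
    private ArrayMap<Integer, Boolean> mHasCACerts = new ArrayMap<>();

    /**
     * Injected constructor; equivalent to the four-argument form with no initial callback.
     *
     * @param context the SystemUI context
     * @param bgHandler handler on which broadcasts are delivered
     * @param broadcastDispatcher dispatcher used to register this controller's receiver
     */
    @Inject
    public SecurityControllerImpl(Context context, @BgHandler Handler bgHandler,
            BroadcastDispatcher broadcastDispatcher) {
        this(context, bgHandler, broadcastDispatcher, null);
    }

    /**
     * Creates the controller, registers for trust-store and user-unlock broadcasts and for VPN
     * network callbacks, and initialises user state from the current user.
     *
     * @param context the SystemUI context
     * @param bgHandler handler on which broadcasts are delivered
     * @param broadcastDispatcher dispatcher used to register this controller's receiver
     * @param callback optional callback registered before any state is tracked; {@code null}
     *                 is ignored by {@link #addCallback}
     */
    public SecurityControllerImpl(Context context, Handler bgHandler,
            BroadcastDispatcher broadcastDispatcher, SecurityControllerCallback callback) {
        super(broadcastDispatcher);
        mContext = context;
        mBgHandler = bgHandler;
        mDevicePolicyManager = (DevicePolicyManager)
                context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        mConnectivityManager = (ConnectivityManager)
                context.getSystemService(Context.CONNECTIVITY_SERVICE);
        mConnectivityManagerService = IConnectivityManager.Stub.asInterface(
                ServiceManager.getService(Context.CONNECTIVITY_SERVICE));
        mPackageManager = context.getPackageManager();
        mUserManager = (UserManager)
                context.getSystemService(Context.USER_SERVICE);

        addCallback(callback);

        IntentFilter filter = new IntentFilter();
        filter.addAction(KeyChain.ACTION_TRUST_STORE_CHANGED);
        filter.addAction(Intent.ACTION_USER_UNLOCKED);
        broadcastDispatcher.registerReceiver(mBroadcastReceiver, filter, bgHandler, UserHandle.ALL);

        // TODO: re-register network callback on user change.
        mConnectivityManager.registerNetworkCallback(REQUEST, mNetworkCallback);
        onUserSwitched(ActivityManager.getCurrentUser());
        startTracking();
    }

    /**
     * Dumps the cached VPN map as {@code userId=vpnPackage} pairs.
     *
     * @param fd unused
     * @param pw sink for the dump
     * @param args unused
     */
    public void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
        pw.println("SecurityController state:");
        pw.print("  mCurrentVpns={");
        final SparseArray<VpnConfig> vpns = mCurrentVpns;
        for (int i = 0; i < vpns.size(); i++) {
            if (i > 0) {
                pw.print(", ");
            }
            pw.print(vpns.keyAt(i));
            pw.print('=');
            pw.print(vpns.valueAt(i).user);
        }
        pw.println("}");
    }

    /** Returns whether the device has a device owner, as reported by DevicePolicyManager. */
    @Override
    public boolean isDeviceManaged() {
        return mDevicePolicyManager.isDeviceManaged();
    }

    /** Returns the device owner's name, looked up across all users. */
    @Override
    public String getDeviceOwnerName() {
        return mDevicePolicyManager.getDeviceOwnerNameOnAnyUser();
    }

    /** Returns whether the current user itself has a profile owner. */
    @Override
    public boolean hasProfileOwner() {
        return mDevicePolicyManager.getProfileOwnerAsUser(mCurrentUserId) != null;
    }

    /**
     * Returns the first non-null profile-owner name among the current user's profiles
     * (disabled profiles included), or {@code null} if none has a profile owner.
     */
    @Override
    public String getProfileOwnerName() {
        for (int profileId : mUserManager.getProfileIdsWithDisabled(mCurrentUserId)) {
            String name = mDevicePolicyManager.getProfileOwnerNameAsUser(profileId);
            if (name != null) {
                return name;
            }
        }
        return null;
    }

    /** Returns the organization name set by the device owner, if any. */
    @Override
    public CharSequence getDeviceOwnerOrganizationName() {
        return mDevicePolicyManager.getDeviceOwnerOrganizationName();
    }

    /**
     * Returns the organization name of the current user's work profile, or {@code null} when
     * the user has no managed profile.
     */
    @Override
    public CharSequence getWorkProfileOrganizationName() {
        final int profileId = getWorkProfileUserId(mCurrentUserId);
        if (profileId == UserHandle.USER_NULL) return null;
        return mDevicePolicyManager.getOrganizationNameForUser(profileId);
    }

    /**
     * Returns the display name of the VPN active for {@link #mVpnUserId}, or {@code null} if
     * none is active or its package cannot be resolved.
     */
    @Override
    public String getPrimaryVpnName() {
        VpnConfig cfg = mCurrentVpns.get(mVpnUserId);
        if (cfg == null) {
            return null;
        }
        return getNameForVpnConfig(cfg, new UserHandle(mVpnUserId));
    }

    /**
     * Finds the managed (work) profile belonging to {@code userId}.
     *
     * @return the first managed profile's id, or {@link UserHandle#USER_NULL} if there is none
     */
    private int getWorkProfileUserId(int userId) {
        for (final UserInfo userInfo : mUserManager.getProfiles(userId)) {
            if (userInfo.isManagedProfile()) {
                return userInfo.id;
            }
        }
        return UserHandle.USER_NULL;
    }

    /** Returns whether the current user has a managed profile. */
    @Override
    public boolean hasWorkProfile() {
        return getWorkProfileUserId(mCurrentUserId) != UserHandle.USER_NULL;
    }

    /**
     * Returns the display name of the VPN active in the work profile of {@link #mVpnUserId},
     * or {@code null} if there is no work profile, no VPN, or the package cannot be resolved.
     */
    @Override
    public String getWorkProfileVpnName() {
        final int profileId = getWorkProfileUserId(mVpnUserId);
        if (profileId == UserHandle.USER_NULL) return null;
        VpnConfig cfg = mCurrentVpns.get(profileId);
        if (cfg != null) {
            return getNameForVpnConfig(cfg, UserHandle.of(profileId));
        }
        return null;
    }

    /** Returns whether network logging is enabled (queried with a null admin component). */
    @Override
    public boolean isNetworkLoggingEnabled() {
        return mDevicePolicyManager.isNetworkLoggingEnabled(null);
    }

    /**
     * Returns whether any profile of {@link #mVpnUserId} (disabled profiles included) has an
     * active VPN in the cached map.
     */
    @Override
    public boolean isVpnEnabled() {
        final SparseArray<VpnConfig> vpns = mCurrentVpns;
        for (int profileId : mUserManager.getProfileIdsWithDisabled(mVpnUserId)) {
            if (vpns.get(profileId) != null) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the current user may not configure VPNs: either it is a restricted
     * profile or it carries {@link UserManager#DISALLOW_CONFIG_VPN}.
     */
    @Override
    public boolean isVpnRestricted() {
        UserHandle currentUser = new UserHandle(mCurrentUserId);
        final UserInfo info = mUserManager.getUserInfo(mCurrentUserId);
        // getUserInfo() yields null for a user that no longer exists; treat that as "not a
        // restricted profile" but still consult the user restriction.
        return (info != null && info.isRestricted())
                || mUserManager.hasUserRestriction(UserManager.DISALLOW_CONFIG_VPN, currentUser);
    }

    /**
     * Returns whether the VPN active for {@link #mVpnUserId} is a system app that declares the
     * branded meta-data; legacy VPNs and non-system packages are never branded.
     */
    @Override
    public boolean isVpnBranded() {
        VpnConfig cfg = mCurrentVpns.get(mVpnUserId);
        if (cfg == null) {
            return false;
        }

        String packageName = getPackageNameForVpnConfig(cfg);
        if (packageName == null) {
            return false;
        }

        return isVpnPackageBranded(packageName);
    }

    /**
     * Returns the cached CA-certificate answer for the current user. A user with no cached
     * answer (lookup pending or failed) reads as {@code false}, so a failed KeyChain query
     * hides the indicator rather than showing it.
     */
    @Override
    public boolean hasCACertInCurrentUser() {
        return Boolean.TRUE.equals(mHasCACerts.get(mCurrentUserId));
    }

    /**
     * Returns the cached CA-certificate answer for the current user's work profile, or
     * {@code false} if there is no work profile or no cached answer.
     */
    @Override
    public boolean hasCACertInWorkProfile() {
        int userId = getWorkProfileUserId(mCurrentUserId);
        if (userId == UserHandle.USER_NULL) return false;
        return Boolean.TRUE.equals(mHasCACerts.get(userId));
    }

    /** Unregisters {@code callback}; {@code null} is ignored. */
    @Override
    public void removeCallback(SecurityControllerCallback callback) {
        synchronized (mCallbacks) {
            if (callback == null) return;
            if (DEBUG) Log.d(TAG, "removeCallback " + callback);
            mCallbacks.remove(callback);
        }
    }

    /** Registers {@code callback}; {@code null} and already-registered callbacks are ignored. */
    @Override
    public void addCallback(SecurityControllerCallback callback) {
        synchronized (mCallbacks) {
            if (callback == null || mCallbacks.contains(callback)) return;
            if (DEBUG) Log.d(TAG, "addCallback " + callback);
            mCallbacks.add(callback);
        }
    }

    /**
     * Records the new foreground user and the user whose VPN state should be reported, then
     * notifies callbacks.
     *
     * @param newUserId id of the user that became current
     */
    @Override
    public void onUserSwitched(int newUserId) {
        mCurrentUserId = newUserId;
        final UserInfo newUserInfo = mUserManager.getUserInfo(newUserId);
        // getUserInfo() yields null for an unknown user; fall back to reporting the user's own VPN.
        if (newUserInfo != null && newUserInfo.isRestricted()) {
            // VPN for a restricted profile is routed through its owner user
            mVpnUserId = newUserInfo.restrictedProfileParentId;
        } else {
            mVpnUserId = mCurrentUserId;
        }
        fireCallbacks();
    }

    /** Kicks off an asynchronous CA-certificate lookup for {@code userId}. */
    private void refreshCACerts(int userId) {
        new CACertLoader().execute(userId);
    }

    /**
     * Resolves a user-visible name for a VPN.
     *
     * @param cfg the VPN's configuration; for a legacy VPN a fixed resource string is used
     * @param user the user in whose package space the VPN app's label is looked up
     * @return the label, or {@code null} if the VPN package is not installed for that user
     */
    private String getNameForVpnConfig(VpnConfig cfg, UserHandle user) {
        if (cfg.legacy) {
            return mContext.getString(R.string.legacy_vpn_name);
        }
        // The package name for an active VPN is stored in the 'user' field of its VpnConfig
        final String vpnPackage = cfg.user;
        try {
            Context userContext = mContext.createPackageContextAsUser(mContext.getPackageName(),
                    0 /* flags */, user);
            return VpnConfig.getVpnLabel(userContext, vpnPackage).toString();
        } catch (NameNotFoundException nnfe) {
            Log.e(TAG, "Package " + vpnPackage + " is not present", nnfe);
            return null;
        }
    }

    /**
     * Notifies every registered callback that state changed. The list is snapshotted under the
     * lock and callbacks are invoked outside it, so a callback that adds or removes callbacks
     * from onStateChanged() does not modify the list while it is being iterated.
     */
    private void fireCallbacks() {
        final ArrayList<SecurityControllerCallback> snapshot;
        synchronized (mCallbacks) {
            snapshot = new ArrayList<>(mCallbacks);
        }
        for (SecurityControllerCallback callback : snapshot) {
            callback.onStateChanged();
        }
    }

    /**
     * Rebuilds {@link #mCurrentVpns} from the connectivity service. A legacy VPN is only
     * counted while connected; a third-party VPN counts whenever it is configured. On a
     * RemoteException the previous map is kept.
     */
    private void updateState() {
        // Find all users with an active VPN
        SparseArray<VpnConfig> vpns = new SparseArray<>();
        try {
            for (UserInfo user : mUserManager.getUsers()) {
                VpnConfig cfg = mConnectivityManagerService.getVpnConfig(user.id);
                if (cfg == null) {
                    continue;
                } else if (cfg.legacy) {
                    // Legacy VPNs should do nothing if the network is disconnected. Third-party
                    // VPN warnings need to continue as traffic can still go to the app.
                    LegacyVpnInfo legacyVpn = mConnectivityManagerService.getLegacyVpnInfo(user.id);
                    if (legacyVpn == null || legacyVpn.state != LegacyVpnInfo.STATE_CONNECTED) {
                        continue;
                    }
                }
                vpns.put(user.id, cfg);
            }
        } catch (RemoteException rme) {
            // Roll back to previous state
            Log.e(TAG, "Unable to list active VPNs", rme);
            return;
        }
        mCurrentVpns = vpns;
    }

    /** Returns the VPN app's package name, or {@code null} for a legacy (built-in) VPN. */
    private String getPackageNameForVpnConfig(VpnConfig cfg) {
        if (cfg.legacy) {
            return null;
        }
        return cfg.user;
    }

    /**
     * Returns whether {@code packageName} may use the branded VPN UI. Only a system app that
     * declares {@link #VPN_BRANDED_META_DATA} as {@code true} qualifies; a non-system package
     * declaring the same key, or one that is not installed, is not branded.
     */
    private boolean isVpnPackageBranded(String packageName) {
        try {
            ApplicationInfo info = mPackageManager.getApplicationInfo(packageName,
                PackageManager.GET_META_DATA);
            if (info == null || info.metaData == null || !info.isSystemApp()) {
                return false;
            }
            return info.metaData.getBoolean(VPN_BRANDED_META_DATA, false);
        } catch (NameNotFoundException e) {
            return false;
        }
    }

    // Refreshes the VPN map whenever a network matching REQUEST comes or goes.
    private final NetworkCallback mNetworkCallback = new NetworkCallback() {
        @Override
        public void onAvailable(Network network) {
            if (DEBUG) Log.d(TAG, "onAvailable " + network.netId);
            updateState();
            fireCallbacks();
        }

        // TODO Find another way to receive VPN lost. This may be delayed depending on
        // how long the VPN connection is held on to.
        @Override
        public void onLost(Network network) {
            if (DEBUG) Log.d(TAG, "onLost " + network.netId);
            updateState();
            fireCallbacks();
        }
    };

    // Trust-store changes are refreshed for the sending user; user-unlock for the user named in
    // the intent (the CA query needs the user's credential storage to be unlocked).
    private final BroadcastReceiver mBroadcastReceiver = new BroadcastReceiver() {
        @Override public void onReceive(Context context, Intent intent) {
            if (KeyChain.ACTION_TRUST_STORE_CHANGED.equals(intent.getAction())) {
                refreshCACerts(getSendingUserId());
            } else if (Intent.ACTION_USER_UNLOCKED.equals(intent.getAction())) {
                int userId = intent.getIntExtra(Intent.EXTRA_USER_HANDLE, UserHandle.USER_NULL);
                if (userId != UserHandle.USER_NULL) refreshCACerts(userId);
            }
        }
    };

    /**
     * Asks KeyChain, as the given user, whether that user has any CA certificate aliases and
     * caches the result. A failed lookup yields a {@code null} answer, which is logged and not
     * cached, so the previously cached value (if any) stays in effect.
     */
    protected class CACertLoader extends AsyncTask<Integer, Void, Pair<Integer, Boolean> > {

        @Override
        protected Pair<Integer, Boolean> doInBackground(Integer... userId) {
            try (KeyChainConnection conn = KeyChain.bindAsUser(mContext,
                                                               UserHandle.of(userId[0]))) {
                boolean hasCACerts = !(conn.getService().getUserCaAliases().getList().isEmpty());
                return new Pair<>(userId[0], hasCACerts);
            } catch (RemoteException | InterruptedException | AssertionError e) {
                // NOTE(review): AssertionError is kept from the original — presumably what
                // KeyChain.bindAsUser raises when it cannot bind; confirm.
                if (e instanceof InterruptedException) {
                    // Restore the interrupt flag so the executor thread sees it.
                    Thread.currentThread().interrupt();
                }
                Log.i(TAG, "failed to get CA certs", e);
                return new Pair<>(userId[0], null);
            }
        }

        @Override
        protected void onPostExecute(Pair<Integer, Boolean> result) {
            if (DEBUG) Log.d(TAG, "onPostExecute " + result);
            // Only a definite answer is cached; an unknown one leaves the previous entry alone.
            if (result.second != null) {
                mHasCACerts.put(result.first, result.second);
                fireCallbacks();
            }
        }
    }
}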